iptables: introduce alternatives for /sbin/iptables and friends

Now the old iptables binary is server at /sbin/iptables-legacy.
Then, using the update-alternatives system one can choose which binary is going
to provide the actual /sbin/iptables tool, either iptables-legacy or
the newer iptables-compat (nf_tables compat).

The compat version is given more priority by default.
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>

debian/iptables-nftables-compat.postinst

+#!/bin/sh
+
+set -e
+
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ]; then
+	update-alternatives \
+	  --install /sbin/iptables iptables /sbin/iptables-compat 20 \
+	  --slave /sbin/iptables-restore iptables-restore /sbin/iptables-compat-restore \
+	  --slave /sbin/iptables-save iptables-save /sbin/iptables-compat-save
+	update-alternatives \
+	  --install /sbin/ip6tables ip6tables /sbin/ip6tables-compat-restore 20 \
+	  --slave /sbin/ip6tables-restore ip6tables-restore /sbin/ip6tables-compat-restore \
+	  --slave /sbin/ip6tables-save ip6tables-save /sbin/ip6tables-compat-save
+	update-alternatives \
+	  --install /sbin/arptables arptables /sbin/arptables-compat 20
+	update-alternatives \
+	  --install /sbin/ebtables ebtables /sbin/ebtables-compat 20
+fi
+
+#DEBHELPER#
+

debian/iptables-nftables-compat.prerm

+#!/bin/sh
+
+set -e
+
+if [ "$1" != "upgrade" ]; then
+    update-alternatives --remove iptables /sbin/iptables-compat
+    update-alternatives --remove ip6tables /sbin/ip6tables-compat
+    update-alternatives --remove arptables /sbin/arptables-compat
+    update-alternatives --remove ebtables /sbin/ebtables-compat
+fi
+
+#DEBHELPER#
+

debian/iptables.postinst

+#!/bin/sh
+
+set -e
+
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ]; then
+	update-alternatives \
+	  --install /sbin/ìptables iptables /sbin/iptables-legacy 10 \
+	  --slave /sbin/iptables-restore iptables-restore /sbin/iptables-legacy-restore \
+	  --slave /sbin/iptables-save iptables-save /sbin/iptables-legacy-save
+	update-alternatives \
+	  --install /sbin/ip6tables ip6tables /sbin/ip6tables-legacy 10 \
+	  --slave /sbin/ip6tables-restore ip6tables-restore /sbin/ip6tables-legacy-restore \
+	  --slave /sbin/ip6tables-save ip6tables-save /sbin/ip6tables-legacy-save
+fi
+
+#DEBHELPER#
+

debian/iptables.prerm

+#!/bin/sh
+
+set -e
+
+if [ "$1" != "upgrade" ]; then
+    update-alternatives --remove iptables /sbin/iptables-legacy
+    update-alternatives --remove ip6tables /sbin/ip6tables-legacy
+fi
+
+#DEBHELPER#
+

debian/rules

@@ -12,3 +12,13 @@ LIB_DIR := /usr/lib/$(DEB_HOST_MULTIARCH)
 override_dh_auto_configure:
 	dh_auto_configure -- --disable-libipq --enable-devel \
 			--libdir=$(LIB_DIR) --with-xtlibdir=$(LIB_DIR)/xtables
+
+override_dh_install:
+	dh_install
+	# leave room for having the nftables compat tools as the main binaries
+	mv debian/iptables/sbin/iptables debian/iptables/sbin/iptables-legacy
+	mv debian/iptables/sbin/iptables-restore debian/iptables/sbin/iptables-legacy-restore
+	mv debian/iptables/sbin/iptables-save debian/iptables/sbin/iptables-legacy-save
+	mv debian/iptables/sbin/ip6tables debian/iptables/sbin/ip6tables-legacy
+	mv debian/iptables/sbin/ip6tables-restore debian/iptables/sbin/ip6tables-legacy-restore
+	mv debian/iptables/sbin/ip6tables-save debian/iptables/sbin/ip6tables-legacy-save